itsMe Posted August 10, 2022

Shhhloader is a SysWhispers/GetSyscallStub Shellcode Loader that is currently a Work in Progress. It takes raw shellcode as input and compiles a C++ stub that uses syscalls to try and bypass AV/EDR. The included python builder will work on any Linux system that has Mingw-w64 installed.

The tool has been confirmed to successfully load Meterpreter and a Cobalt Strike beacon on fully updated systems with Windows Defender enabled. The project itself is still in a PoC/WIP state, as it currently doesn’t work with all payloads.

New major features include GetSyscallStub integration, Obfuscator-LLVM support, Module Stomping, automatic DLL Proxy generation, new sandbox evasion methods, and storing shellcode as an English word array.

Features:
- 7 Different Shellcode Execution Methods (ModuleStomping, QueueUserAPC, ProcessHollow, EnumDisplayMonitors, RemoteThreadContext, RemoteThreadSuspended, CurrentThread)
- PPID Spoofing
- Block 3rd Party DLLs
- GetSyscallStub & SysWhispers2
- Obfuscator-LLVM (OLLVM) Support
- Automatic DLL Proxy Generation
- Syscall Name Randomization
- Store Shellcode as English Word Array
- XOR Encryption with Dynamic Key Generation
- Sandbox Evasion via Loaded DLL, Domain, User, Hostname, and System Enumeration

Tested and Confirmed Working on:
- Windows 10 21H1 (10.0.19043)
- Windows 10 20H2 (10.0.19042)
- Windows Server 2019 (10.0.17763)

Changelog v1.5
Added GetSyscallStub integration, Obfuscator-LLVM support, Module Stomping, automatic DLL Proxy generation, new sandbox evasion methods, and storing shellcode as an English word array.